sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab

23:36:43,0717217 iexplore.exe 3520 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave8 SUCCESS Type: REG_SZ, Length: 2, Data:
23:37:02,2292562 iexplore.exe 3632 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave8 SUCCESS Type: REG_SZ, Length: 2, Data:

Figure 26 – Wave8 communications

4.3. Compression and table formats

The file ntcache.dat found among the DAT files contains logs from the inspected target computer. However, there are references to ntcache.dat as SFS Storage:

STORAGE.SFS.FILES.ntcache?dat.REINITIALIZE_ME
STORAGE.SFS.FILES.ntcache?dat.DELETE_ME
STORAGE.SFS.FILES.lmcache?dat.MAX_SIZE
STORAGE.SFS.FILES.lmcache?dat.BACKUP

Figure 27 – Winlogon.exe with injected code working with ccalc32.sys - procmon

We present the beginning of the binary format for ntcache.dat below.

0000000000: 02 30 30 30 30 30 30 31 │ 45 5C 30 30 30 30 30 30 ☻0000001E\000000
0000000010: 30 30 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00 00
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000060: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000070: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000080: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000090: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000A0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000D0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000E0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000F0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000100: 00 96 02 00 00 E6 57 1B │ 5B 5E 88 CC 01 01 00 00 ľ☻ ŠW←[^ł╠☺☺
0000000110: 00 28 01 0A 00 00 00 FF │ FF 00 00 43 00 4D 00 44 (☺◙ C M D
0000000120: 00 02 00 00 00 33 00 0C │ 00 00 00 FF FF 00 00 44 ☻ 3 ♀ D
0000000130: 00 45 00 53 00 43 00 0C │ 00 00 00 42 00 47 00 66 E S C ♀ B G f
0000000140: 00 4C 00 6F 00 77 00 2A │ 00 00 00 FF FF 00 00 52 L o w * R
0000000150: 00 45 00 51 00 55 00 45 │ 00 53 00 54 00 45 00 44 E Q U E S T E D
0000000160: 00 5F 00 46 00 49 00 4C │ 00 45 00 5F 00 4E 00 41 _ F I L E _ N A

Figure 28 – Binary format of ntcache.dat (beginning)

We could not decide whether the format is custom or just some uncommon binary format. A comparison with ~HLV473.tmp, a file that contains a list of running processes, reveals the sequences "78 DA ED" and "78 DA 73", which mark the start of zlib (deflate) compressed data.
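The following is an added example, not code from the CrySyS report: it rebuilds the bytes of Figure 28 from the hex dump, applies the two triage steps an analyst would try on an unknown blob (scan for zlib headers, as in the ~HLV473.tmp observation above, and look for length-prefixed UTF-16LE fields), and inflates a constructed zlib blob. Everything beyond the transcribed bytes is an assumption: the report does not describe a record layout, so the reading of offset 0x113 onward as [u32 length][payload] fields where an FF FF 00 00 prefix marks a key name, the reading of the 8 bytes at 0x105 as a FILETIME, and the process-list blob SAMPLE_BLOB are all constructed here for illustration; the dump itself ends mid-field, which the parser reports as a truncated entry.

```python
import re
import struct
import zlib
from datetime import datetime, timedelta, timezone

# Figure 28 transcribed (hex columns only). Rows 0x020-0x0F0 are all zero and
# are generated instead of typed. Row 0x010 keeps the report's trailing "00",
# which is the ASCII rendering of bytes 30 30 rather than a 17th byte.
FIGURE_28_ROWS = [
    "0000000000: 02 30 30 30 30 30 30 31 │ 45 5C 30 30 30 30 30 30",
    "0000000010: 30 30 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00 00",
] + [
    f"{off:010X}: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00"
    for off in range(0x20, 0x100, 0x10)
] + [
    "0000000100: 00 96 02 00 00 E6 57 1B │ 5B 5E 88 CC 01 01 00 00",
    "0000000110: 00 28 01 0A 00 00 00 FF │ FF 00 00 43 00 4D 00 44",
    "0000000120: 00 02 00 00 00 33 00 0C │ 00 00 00 FF FF 00 00 44",
    "0000000130: 00 45 00 53 00 43 00 0C │ 00 00 00 42 00 47 00 66",
    "0000000140: 00 4C 00 6F 00 77 00 2A │ 00 00 00 FF FF 00 00 52",
    "0000000150: 00 45 00 51 00 55 00 45 │ 00 53 00 54 00 45 00 44",
    "0000000160: 00 5F 00 46 00 49 00 4C │ 00 45 00 5F 00 4E 00 41",
]
HEX_BYTE = re.compile(r"\b([0-9A-Fa-f]{2})\b")
KEY_MARK = b"\xff\xff\x00\x00"  # assumed key marker seen before CMD, DESC, REQUESTED_FILE_NA...

def parse_hexdump(rows, width=16):
    """Rebuild raw bytes from 'offset: hh hh ... | hh ...' rows. Only the first
    `width` two-digit tokens after the offset count, so a trailing ASCII column
    (which may itself contain "00") cannot leak in; offsets must be contiguous."""
    out = bytearray()
    for row in rows:
        offset_text, _, rest = row.partition(":")
        if int(offset_text, 16) != len(out):
            raise ValueError(f"row {offset_text} does not follow 0x{len(out):X}")
        out += bytes(int(tok, 16) for tok in HEX_BYTE.findall(rest)[:width])
    return bytes(out)

def filetime_to_datetime(raw8):
    """Read 8 bytes as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw8)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def walk_fields(data, start):
    """Assumed layout (the report states none): from `start`, a run of
    [u32 LE length][payload]; a payload starting with FF FF 00 00 names a key,
    any other payload is the preceding key's value; text is UTF-16LE.
    Returns (is_key, text, truncated); a length past the end of the dump marks
    the field truncated and decodes only the bytes that are present."""
    fields, pos = [], start
    while pos + 4 <= len(data):
        (length,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if length == 0:
            break
        payload = data[pos:pos + length]
        is_key = payload.startswith(KEY_MARK)
        text_bytes = payload[len(KEY_MARK):] if is_key else payload
        text = text_bytes[:len(text_bytes) & ~1].decode("utf-16-le")
        fields.append((is_key, text, len(payload) < length))
        pos += length
    return fields

def pair_fields(fields):
    """Fold the field list into {key: value}; a key without a value maps to None."""
    pairs, key = {}, None
    for is_key, text, _ in fields:
        if is_key:
            key = text
            pairs.setdefault(key, None)
        elif key is not None:
            pairs[key] = text
    return pairs

def find_zlib_headers(data):
    """Offsets of zlib headers: CMF 0x78 (deflate, 32 KiB window) followed by a
    FLG byte with CMF*256+FLG divisible by 31. 78 DA is the level-9 header the
    report saw in ~HLV473.tmp; 78 9C and 78 01 are the other common values."""
    return [i for i in range(len(data) - 1)
            if data[i] == 0x78 and (data[i] * 256 + data[i + 1]) % 31 == 0]

def inflate_at(data, offset):
    """Inflate the zlib stream at `offset`, ignoring whatever follows it."""
    return zlib.decompressobj().decompress(data[offset:])

# Constructed stand-in for a process-list blob like ~HLV473.tmp: a few leading
# bytes, then a level-9 zlib stream, which begins with 78 DA.
PROCESS_LIST = b"svchost.exe\r\nexplorer.exe\r\nwinlogon.exe\r\n"
SAMPLE_BLOB = b"\x00" * 7 + zlib.compress(PROCESS_LIST, 9)
NTCACHE = parse_hexdump(FIGURE_28_ROWS)

if __name__ == "__main__":
    print(len(NTCACHE), "bytes; ASCII header:", NTCACHE[1:18])
    print("8 bytes at 0x105 read as FILETIME:", filetime_to_datetime(NTCACHE[0x105:0x10D]))
    print("fields from 0x113:", walk_fields(NTCACHE, 0x113))
    print("pairs:", pair_fields(walk_fields(NTCACHE, 0x113)))
    off = find_zlib_headers(SAMPLE_BLOB)[0]
    print("zlib stream at", off, "->", inflate_at(SAMPLE_BLOB, off))
```

Run stand-alone, the script shows that the 368 transcribed bytes contain no zlib header at all (so ntcache.dat is not simply a zlib container at its start), while the assumed field walk yields CMD → 3, DESC → BGfLow and a truncated REQUESTED_FILE_N... key, consistent with the ASCII column of Figure 28. The FILETIME reading of offset 0x105 is only a plausibility check, not a fact from the report; a value that decodes to a sensible date is a hint worth following, nothing more.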

Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 34
